• No results found

Medical Data flows in the Landelijk Schakelpunt: A research into the digitized electronic health record in the Netherlands analysed from a privacy and security point of view

N/A
N/A
Info
Downloaden
Protected

Academic year: 2021

Share "Medical Data flows in the Landelijk Schakelpunt: A research into the digitized electronic health record in the Netherlands analysed from a privacy and security point of view"

Copied!
74
0
0

Bezig met laden.... (Bekijk nu de volledige tekst)

Download het nu ( 74 pagina )

Hele tekst

(1)

Medical Data flows in the

Landelijk Schakelpunt

A research into the digitized electronic health record in the

Netherlands analysed from a privacy and security point of view.

Marissa de Beeld s1698214

Master Thesis

Crisis and Security Management Leiden University

January 16th 2020

Supervisor: dr. T. van Steen Second reader: dr. T. Tropina Words: 18.718

(2)

Abstract

Due to the ever-increasing developments in information and communication technologies, more and more processes are being digitized. These include among others processes from the public sector such as education and healthcare. In 2011, the Dutch Senate has withdrawn from the design of the Electronic Health Record (EPD) because the system was found to be insufficient reliable and secure for medical data exchange. However, the advantages of such a system were acknowledged and permission was given for the development of a system with a similar purpose. From January 2012 onwards, the Vereniging van Zorgaanbieders voor Zorgcommunicatie (VZVZ) is responsible for the private restart of a system to digitally exchange medical data, which is called the Landelijk Schakelpunt.

This research analyses to what extent the design of the Landelijk Schakelpunt (LSP) is improved in terms of privacy compared to the earlier rejected Electronic Health Record (EPD). The analysis is executed by applying the NIST Cyber Security Framework, which consists of five phases: (1) identify, (2) protect, (3) detect, (4) respond, and (5) recover. The application of the conceptual model had a dual function. It created more insight into which privacy elements are already visible in the system. Besides, it displayed weak elements, which offers an opportunity for further incorporation of privacy. After completing the analysis there will be a reflection on the findings and the effects will be outlined. Besides, recommendations will be explicated that reinforce the privacy concept within the LSP's business operations by focusing on the substantive system, the humans that have to deal with the system, and the perspective of patients in which the importance of data control is high. This research will end with suggestions for future research to offer even more insight in the issue that is in scope.

(3)

List of Abbreviations

AP Autoriteit Persoonsgegevens (Dutch Data Protection Authority) DPIA Data Protection Impact Assessment

EPD Elektronisch Patiëntendossier (Electronic Health Record)

EU European Union

IGJ Inspectie Gezondheidszorg en Jeugd

ISACA Information Systems Audit and Control Association GBZ Goed Beheerd Zorgsysteem (Well managed care system) GDPR General Data Protection Regulation

GZN Goed Beheerd Zorgnetwerk (Well managed care network) LSP Landelijk Schakelpunt

NIST National Institute of Standards and Technology RMF Risk Management Framework

RvIG Rijksdienst voor Identiteitsgegevens

VWS Ministerie van Volksgezondheid, Welzijn en Sport VZVZ Vereniging van Zorgaanbieders voor Zorgcommunicatie WGBO Wet op Geneeskundige Behandelingsovereenkomst

(4)

Table of Contents

Abstract ... 2 List of Abbreviations ... 3 1. Introduction ... 5 1.1 Research Question ... 7 1.2 Relevance ... 8 1.3 Reading guide ... 9 2. Body of knowledge ... 10 2.1 Background information ... 10 2.2 Academic perspectives... 13 2.3 Theoretical framework ... 16 2.3.1 Privacy ... 16

2.3.2 NIST Cyber Security Framework ... 18

2.3.3 Conceptual framework ... 21 3. Methodology ... 23 3.1 Research design ... 23 3.2 Data collection ... 24 3.3 Data analysis ... 25 3.3.1 Identify ... 26 3.3.2 Protect... 27 3.3.3 Detect ... 28 3.3.4 Respond ... 28 3.3.5 Recover ... 29 3.4 Reliability ... 30 4. Analysis ... 31 4.1 Identify... 31 4.2 Protect ... 37 4.3 Detect ... 43 4.4 Respond ... 47 4.5 Recover ... 51 5. Conclusion ... 54 5.1 Reflection ... 54 5.2 Effects ... 55 5.3 Limitations ... 57 5.4 Final conclusion ... 59 6. Literature ... 60

Appendix 1: Data analysis schedules ... 64

1. Identify ... 64

2. Protect ... 65

3. Detect ... 67

4. Respond... 68

5. Recover ... 69

Appendix 2 – List of accepted healthcare information systems ... 70

(5)

1. Introduction

Due to the ever-increasing developments in information and communication technologies, more and more processes are being digitized. These include, among others, processes from the public sector such as education and health care. Zooming in on the healthcare sector, digitization has meant that it is currently possible to take healthcare related information in different formats and deliver these items in the same basic format at high speeds (Dwivedi et al., 2002). It is also possible to combine different formats of information - such as sound, video, animation, text and graphics - and present them in an interactive manner. The advantages of digital processes in the healthcare sector seem endless, but there are also important disadvantages that require more attention. When the information of medical records of patients is being digitized, more sensitive personal data needs to be stored, but meanwhile the security and privacy of these records also need to be guaranteed.

On May 28th 2018 the General Data Protection Regulation (GDPR) entered into force. This regulation describes new requirements regarding the processing of personal data and has been called the toughest privacy and security law in the world (Welford, 2019). Initially, it has been drafted and passed by the European Union (EU), but it imposes obligations onto organizations anywhere as long as data related to people in the EU is targeted or collected. The regulation itself exists of 99 articles and might be experienced as large, far-reaching, and light on specifics, which makes it more difficult for organizations to become GDPR compliant (Welford, 2019). However, there are fines against those who violate the privacy and security standards, with penalties reaching into millions of euros.

To check whether organizations still meet their lawful obligations different institutions have been appointed in European countries. In the Netherlands this institution is called the Autoriteit Persoonsgegevens (AP), which is also the organization where clients can practice their rights such as the right of access, right to rectification and right to erasure, and where data breaches need to be reported. During the first half of 2019, the Dutch Data Protection Authority (AP) received 11,906 reports of data breaches. In case this trend continues, the AP expects an increase of 14 per cent for 2019 compared to 2018 (AP, 2019a). Since the entry into force of the data breach-reporting obligation, the AP receives most reports from the healthcare sector. The largest number of data breach reports within the healthcare sector comes from hospitals (23%) and pharmacies (22%). Most notifications are made after sending personal data

(6)

to the wrong recipient. Smaller healthcare institutions such as health and welfare organizations (24%), social services (15%) and dentists (6%) report data leaks due to hacking, malware or phishing more often than larger healthcare institutions (AP, 2019a). To reduce these numbers, the AP provides healthcare institutions with tips to prevent a number of common types of data breaches.

One digital innovation that may increase, instead of decrease, the number of data breach reports is the Landelijk Schakelpunt (LSP). LSP is the successor of the electronic health record (EPD). In this new system medical data of patients is exchanged "anonymised" by identifying patients based on social security numbers. The disadvantage of this system is the danger that these numbers can easily make a link between information from different files (AP, 2019b). Due to the high risks and the number of disadvantages, there has been a difficult introduction of the electronic health record after the first initiation, which also emphasizes the lack of confidence from a political point of view. After the Dutch Senate quit the national EPD it called for a reliable infrastructure to exchange medical data between doctors and other medical specialists (Modderkolk, 2015). Because the Senate had withdrawn, the LSP got a private restart in 2012. The responsible party of this private restart is the ‘Vereniging van Zorgaanbieders voor Zorgcommunicatie’ (VZVZ), which exists of four umbrella organizations for healthcare providers: the umbrella organizations for general practitioners, general practitioner posts, pharmacies and hospitals (VZVZ, 2019).

Meanwhile, the system has been further developed and identification still takes place by inserting the social security number, meaning an easy target for cyber criminals that want to benefit from identity theft. To combat cyber crime, the Central Identity Fraud and Errors Reporting Center (CMI) was established as part of the National Service for Identity Data (RvIG), from the Ministry of Interior (BZK). This institution provides a platform for reporting identity theft, gives tips to prevent it and offers advice and support when an individual has become a victim (RvIG, 2019).

Due to the difficult establishment of the LSP – the withdrawal of the Dutch Senate and the private restart of the VZVZ – it would be expected that the critical remarks that were given throughout the entire process received sufficient attention to guarantee the safety and privacy of this system. This research will assess whether this expectation could be justified.

(7)

1.1 Research Question

To address the gap in the existing literature, this research explores how security and privacy of the Landelijk Schakelpunt are arranged. More specifically, this research focuses on the use of social security numbers in the digitized system of providing insight in medical records. On one hand, it is attractive to use a digital system with easy access to medical health records. When there are accidents or other situations where adequate help is needed, there will be little time lost on identification and corresponding personal information. On the other hand, it is necessary to control and guarantee the security and privacy of patients. Therefore, the following explorative research question will guide this research:

To what extent is the design of the Landelijk Schakelpunt (LSP) improved in terms of privacy compared to the earlier rejected Electronic Health Record (EPD), when applying the NIST Cyber Security Framework?

This study will use a case study approach to thoroughly analyse the

establishment of the Landelijk Schakelpunt. The research will explore in-depth and by semi-structured interviews how different involved parties experience this system. Therefore, respondents will exist of a mix between the different identified stakeholders. First of all, patients can be identified since they are the ones whose personal data is recorded. Patients are in this research conceptualized as chronically ill people that have to deal with different healthcare institutions. Another identified stakeholder exist of privacy specialists, whom are able to explain how privacy is defined in legislation and what are the patient’s rights. Furthermore, IT auditors will be interviewed because of their focus on the IT infrastructure and content of digitized systems. The NIST Cyber Security Framework, which will be explained in detail in section 2.3.2, exists of five different phases that will be analysed based on various standards (Appendix 1). IT auditors are familiar with these kinds of frameworks. Besides privacy specialists and IT auditors, medical specialists also must be identified as stakeholders. Examples of these specialists are general practitioners, nurses and pharmacists. The perspectives of medical specialists are of great importance since they are the ones that actually work with the system and can indicate the role and functioning of the LSP within their daily working activities.

(8)

Digital innovations are focused on new combinations of digital and physical components to produce new products (Yoo, Henfridsson & Lyytinen, 2010). Examples are physical products that are made programmable, addressable, communicable, and traceable. The Landelijk Schakelpunt system relies on digitization, but a digital innovation is also susceptible to undesirable purposes of criminals, such as identity theft. Thus, this research attempts to analyse how the successor of the Electronic Health Record (EPD) has been improved to provide a safe and secure new system, the Landelijk Schakelpunt (LSP), in terms of privacy. This will be done by analyzing the privacy concept, in combination with the perspectives from the NIST cyber security framework. The following sub questions will guide this study:

1. How could the concept ‘privacy’ be defined?

2. How could the NIST Cyber Security Framework be interpreted from a privacy point of view?

3. What role did privacy have in the Electronic Health Record (EPD)? 4. To what extent are security and privacy measures incorporated in the design

of the Landelijk Schakelpunt (LSP) to introduce a more stable system compared to the rejected EPD?

1.2 Relevance

This research is scientifically relevant because the risks may be underestimated in relation to the benefits that the LSP can offer. With the arguable reliability of identification based on social security numbers, the privacy of every patient may be questioned. Due to the ever-increasing developments of digitization, more and more information is being published on the Internet, which means that cyber criminals are increasingly thinking of new ways to misuse personal data. To prevent this, various legal guidelines and standards have been drawn up, such as the General Data Protection Regulation (GDPR) and the ISO 27001 standard. During the initiation and design of the system, the main focus was laid on how it could be introduced from a legal point of view. However, a legal perspective alone cannot ensure sufficient reliability of a system, because there always remains a dependence on substantive knowledge and application of that knowledge. There are still humans whom will have to learn to deal with the system (Officiële Bekendmakingen, 2011).

This research is socially relevant because it can affect everyone in society. Every patient is forced to make a choice whether they do or do not want to share their

(9)

medical data via the LSP. However, there appear to be many consequences to this choice, which reduces the non-committal aspect. A survey by EenVandaag has shown that patients who do not want to share their medical data often have difficulties in receiving their medication, or do not receive medication at all at a random pharmacy (Nu.nl, 2017). The prescriptions that patients obtain from their general practitioner, dentist or specialist sometimes prove to be insufficient to actually obtain the prescribed medication, creating the impression that they must first be affiliated with the LSP before they can receive medication. This research therefore focuses on the design and management of the LSP, and how this system is evolved to guarantee security and privacy compared to the earlier rejected electronic health record (EPD).

1.3 Reading guide

This first chapter has given more insight in the subject, research design and relevance of this thesis. The following chapter will focus on the body of knowledge, including the research object, an exploration of various academic perspectives and the theoretical framework. Chapter three will discuss the methods used in this research, explaining how data will be collected and analyzed, followed by zooming in on the possible limitations in terms of reliability and validity. Chapter four focuses on the analysis of the different findings, followed by the fifth chapter that will address the conclusion and discussion, finalized with recommendations.

(10)

2. Body of knowledge

The previous chapter described the cause, research question and relevance of this research. This chapter will focus on the theoretical framework that will be used. First, the research object LSP will be explained followed by an exploration of various academic perspectives. Thereafter, the theoretical concept will be addressed, existing of the NIST cyber security framework and an assessment of how the phases of the NIST framework are applicable in this research.

2.1 Background information

In 2008, the Ministry of Health, Welfare and Sport (VWS) initiated the Electronic Health Record (EPD). At the start three goals have been identified. The first goal concerns the centralization of knowledge transfer, which occurs because all medical information of a patient becomes accessible from any location, while the information is stored scattered at different health care providers. Theoretically, this should reduce the chance of an incorrect diagnosis or treatment. The second goal focuses on increasing efficiency, whereby written documentation is avoided and research is not duplicated. The additional advantage of this goal is the reduction of costs. The third goal focuses on long-term quality improvement. The effect of certain treatment methods can be better monitored and assessed by analysing the data in the electronic patient portal (Kamerstukken, 2006).

However, a major debate has taken place in the Dutch Lower House since the finding that the EPD system would not be sufficiently secure for the exchange of medical data (ZorgNu, 2017). As a result, in 2011 the Senate decided the EPD would not be implemented. However, since then a private restart has been made on developing a similar system that also revolves around the exchange of medical data from patients, called the Landelijk Schakelpunt (LSP). To prevent the LSP from encountering the same difficulties, various studies have been conducted into the risks associated with digitizing the electronic patient portal. First, there is a risk that unauthorized persons will gain access to the system, which may ultimately lead to cyber criminals viewing, changing, copying and publishing patient’s personal data. Another risk is the carelessness of authorized users. A small error can have many consequences because all care providers can request the records. In addition, the possible misuse of the stored data is risky because data can be used for a purpose other than for which it was recorded (ZonMw, 2019).

(11)

The LSP consists of a network to which healthcare providers can join, a so-called "healthcare infrastructure". This network enables providers to consult medical data of their patients in each other's systems at any time (Volg Je Zorg, 2019a). The earlier discussion about the safety of the EPD is attempted to be resolved because the LSP has been specially developed and secured for this purpose. The Landelijk Schakelpunt therefore does not form a database, because the medical data is not stored (Volg Je Zorg, 2019a). The information about patients can be viewed while the data remains in the files at general practitioners and pharmacies. When a patient has given consent, the medical specialists report the social security number to the reference index in the LSP. By searching for this social security number, other care providers can consult medical information, which may be necessary prior to starting treatment (Volg Je Zorg, 2019a).

Due to the earlier remarks that have been placed with the EPD, it is expected that the LSP has been more responsive with security and privacy matters during the design phase. A number of measures have been taken to achieve a high quality of information security (Volg Je Zorg, 2019b). The first measure concerns the fact that healthcare providers cannot naturally connect to the network. The computer system of the healthcare provider is checked against strict security requirements before receiving access. In addition, a healthcare provider can only log in with a special pass and password. Another measure is the mandatory consent of a patient before a healthcare provider can share the medical data. This is not possible without permission. In addition, only healthcare providers who are in charge of a patient’s treatment may view the relevant medical data. An additional component here is that it actually must be necessary for that treatment. To verify this, close supervision takes place. The network keeps track of what healthcare provider has viewed what data and at what amount of time. A patient has the right to check this. In addition, this option is also included in legislation and regulations such as the GDPR and the Dutch Medical Treatment Agreement Act (WGBO) (Volg Je Zorg, 2019b).

The Vereniging van Zorgaanbieders voor Zorgcommunicatie (VZVZ) consists of four umbrella organizations of care providers: the umbrella organizations of general practitioners (LHV), general practitioner posts (InEen), pharmacies (KNMP) and hospitals (NVZ). Since January 1st 2012, this party has been designated as responsible for the electronic exchange of medical data via the Landelijk Schakelpunt (VZVZ, 2019). The organization investigates how the system can be optimized. In 2018, the

(12)

VZVZ published the report "Effects and benefits of the use of health care infrastructure", which states the LSP has become an important tool for data exchange in Dutch health care (ICT & health, 2018). Measurements in 2015 clearly differ from measurements in 2017 where a significant increase in exchange can be observed. This is partly due to an increase in the number of affiliated general practitioner practices and pharmacies, and more awareness of the aspect of explicitly granting consent. In addition, significantly more information about medication was requested. However, research by the Radar Test Panel shows that a majority of the 35,000 members surveyed do not know the LSP has been introduced (ZorgNu, 2017). It is remarkable that people indicate they do not know whether or not they are connected to the system, since it entails their personal data.

Studies of this kind suggest there is a gap between the intentions and perceptions of policymakers and practitioners on one hand, and patients whose medical data can be viewed through the LSP on the other hand. In order to determine whether this actually entails negative consequences and risks, such as the loss of privacy and the disclosure of personal data, institutions with monitoring and supervisory functions have been set up, such as the Dutch Data Protection Authority (AP) and the Inspectie Gezondheidszorg en Jeugd (IGJ). The AP sets guidelines on, among other things, the use of the social security number and protection of access to medical data. Regarding the use of the social security number, healthcare providers have a legitimate legal basis to use it for the performance of their duties, by being considered as independent administrative bodies. However, consulting social security numbers is only permitted when it is considered necessary (AP, 2019b). The guidelines concerning the protection of access of medical data include for example the method of authorization, such as how it is determined which person in charge has access to which patient records and when. Another example is the method of logging and checking, such as whether there will be recorded who and when a file is consulted. The AP serves the important function of removing concerns about privacy. The IGJ is also concerned with safeguarding privacy by supervising personal care, publishing independent judgments, and openness to improve care (Rijksoverheid, 2019).

(13)

2.2 Academic perspectives

Digitization takes place within various parts of the healthcare sector. Different applications have been developed and marketed to assist in the process of diagnosis, but according to Jutel & Lupton (2015) little attention has been paid to the content, claims, potential risks, limitations, or benefits of these apps. The authors identify easy access to medical data and a convenient diagnostic tool for medical specialists as great advantages, but they also acknowledge numerous significant potential harms (Jutel & Lupton, 2015). These harms entail conflict of interest, transparency, ethical and privacy issues, the accuracy of content, healthcare delivery and the doctor-patient relationship. Jutel & Lupton (2015) warn both patients and practitioners to use medical apps with great caution in the context of evidence-based practices.

Abouelmehdi et al. (2017) argue the trend of digitizing healthcare can be explained by the limitless opportunities for big data in health research, knowledge discovery, clinical care, and personal health management. By gaining more insight in processes the quality of healthcare could be improved. However, there are also obstacles and challenges identified. These exist of technical challenges, privacy and security issues, and skilled talent (Abouelmehdi et al., 2017). To reduce risks of these identified obstacles regarding the security and privacy of healthcare data, different technologies have been introduced, such as authentication, encryption, data masking, and access control (Abouelmehdi et al., 2017).

Patil & Seshadri (2014) argue that the ever increasing cost for healthcare and increased healthcare premiums lead to the need for proactive healthcare and wellness. Digitizing medical records result in an increase in sheer volume of data in terms of complexity, diversity and timeliness. Patil & Seshadri (2014) agree with Abouelmehdi et al. (2017) that big data is seen as the solution, but they argue that is because of the cost reducing priority while also wanting to improve the care process, delivery and management. By using big data mechanisms, security and privacy issues continue to grow (Patil & Seshadri, 2014). Patil & Seshadri (2014) argue that this is partly due to the prominence of big data, resulting in hosting companies that become more reluctant to share massive healthcare data for centralized processing.

Schneider et al. (2014) focus on the safety of health information technology, resulting in several dimensions: using health IT to make care safer, ensuring that health IT is safe itself, and ensuring that health IT is used safely. The potential for health IT to improve the safety of health care delivery has been appreciated for decades, but the

(14)

role of health IT in introducing safety risks has been recognized for not that long (Schneider et al., 2014). As the use of health IT has grown, users have begun to observe what it could mean for them and their personal data. There are multiple situations that could occur such as hardware and software can malfunction, data can be lost or corrupted during transmission, deploying complex technologies in a complex organizational environment can introduce new hazards and safety risks. According to Schneider et al. (2014) identifying and mitigating health IT safety risks is a relatively new concept for most health care organizations.

When zooming in on the introduction of the Electronic Health Record (EPD) Groothuis (2007) emphasizes in her article that the process of whether or not to implement the EPD has taken a lot of time and the legal framework involves many layers. Rules concerning the use of personal and medical data are laid down at international, European and national levels. A distinction is made between the fundamental right to respect for privacy as laid down in Article 17, paragraph 1 of the International Covenant on Civil and Political Rights (ICCPR); Article 8, paragraph 1, of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR); and Article 10, paragraph 1, of the Dutch Constitution. In addition, there is also Directive 95 / 46l / EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data; the Personal Data Protection Act (Wbp) which has been changed to the General Data Protection Regulation (GDPR); the Civil Code and other guidelines as drawn up by the AP.

According to Schulman (2004), despite legislation and regulations being laid down, safety must be seen as an illusion: safe organizations do not exist because results achieved in the past offer no guarantee for future safety of any organization. From this point of view it may never be the case that the Landelijk Schakelpunt could be classified as a safe and secure system.

Privacy lawyer Solove does not agree with Schulman (2004). According to Solove it is not a problem that information about individuals is collected, but the lack of insight into where and how this data is used must be seen as a problem (Martijn & Tokmetzis, 2016). This increases the power of data collecting and sharing governments and institutions. To gain more insight into the handling of data, the system will have to be studied in terms of content.

(15)

One way to gain this insight Martijn & Tokmetzis (2016) address is by applying the NIST Cyber Security Framework. This framework consists of five different phases: (1) Identify, (2) Protect, (3) Detect, (4) Respond, and (5) Recover. When the phases are combined, the functions provide a high-level, strategic view of the lifecycle of an organization’s management of cyber security risk (NIST, 2018). This is partly due to the fact that there is a clear structure, by identifying underlying key categories and subcategories for each function. After considering the various perspectives, this research will be conducted on the basis of the NIST cyber security framework. The choice for this perspective was made because this concept does not only deal with technical measures, but it also focuses on the human aspect of a system. In addition, this framework is applicable to the complex environment in which the Landelijk Schakelpunt is involved. The next section will explain in detail how this framework can be applied.

(16)

2.3 Theoretical framework

This section elaborates on the theoretical concept that forms the central point of view in this research, based on analysing the concept of privacy, the NIST Cyber Security Framework and the conceptual framework in which the NIST framework is studied from a privacy perspective.

2.3.1 Privacy

Although the importance of privacy is being discussed and published more often, the concept seems difficult to interpret. According to Cuijpers (2007), privacy is experienced as complex because the concept is difficult to consider on its own, but depends on the context in which it is placed. In this case, privacy is an umbrella term that can be divided into various dimensions, including relational, physical, territorial, and communicative privacy. Because the concept has been broadened over time, there is a growing tendency in which not only the private sphere must be protected, but also privacy in public spaces must be guaranteed (Cuijpers, 2007).

Koops & Vedder (2001) also acknowledge that privacy is a complex concept, and contextual factors such as technical, social, and economic developments are of influence. The authors distinguish three ways in which privacy is given meaning: (1) spatial privacy, (2) intimacy or individual self-determination, and (3) informational privacy. This research focuses on the third category. Informational privacy deals with the protection of personal data. The term privacy is used here as a defence against unwanted disclosure of information about the privacy of an individual, including medical information (Koops & Vedder, 2001). By shaping laws and regulations such as the GDPR, a common core concept is formulated, which can also be specified per domain by taking contextual and functional factors into account. The GDPR protects patients by introducing rules on for example permission and limiting insight by third parties. In addition to the value of freedom or self-determination, there is also a monitoring function with regard to the dissemination of personal information. With this control mechanism, patients themselves are able to determine and maintain relationships with others and institutions (Koops & Vedder, 2001).

This study focuses on the privacy of patients who have given consent to have their medical data requested via the LSP. The automation processes within the healthcare domain include various IT applications whereby connections between different actors are realized (Keizer, 2011). This concerns both doctor-doctor (D2D)

(17)

and doctor-patient (D2P) and patient-patient (P2P) connections. Within the health care domain, patients and other stakeholders appear to be more aware of the importance of privacy, which can be explained from their dependent and vulnerable position (Keizer, 2011). Undergoing medical treatment is without exception a violation of personal space and affects physical privacy. In addition, absolute privacy cannot be spoken of, since communication between healthcare provider and healthcare consumer is and will remain necessary. Medical information is about informational privacy, with attention being paid to protecting information and data against unauthorized intruders. However, there are potential risks here, as the rationale behind the LSP focuses on making medical data available as efficiently and effectively as possible, with the challenge of being able to manage and control information flows. To analyse how the information flows of the LSP are managed and controlled, the NIST Cyber Security Framework will be applied. This concept will be explained in the following section.

(18)

2.3.2 NIST Cyber Security Framework

The US National Institute of Standards and Technology (NIST) encourages organizations to collaborate on the plans, assessments, plans of action, and milestones to maximize efficiency and reduce duplication of effort. The objective is to ensure that security and privacy requirements derived from laws, executive orders, directives, regulations, policies, standards, or missions and business functions are adequately addressed, and the appropriate controls are selected, implemented, assessed, and monitored on an ongoing basis (NIST, 2018). The Cyber Security Framework consists of five different phases as shown in figure 1: (1) Identify, (2) Protect, (3) Detect, (4) Respond, and (5) Recover.

Figure 1: NIST Cyber Security Framework by Stickman Consulting (2019).

These five phases form the core of the framework and consist of cyber security activities, desired outcomes, and applicable references that are common across sectors

(19)

that are dealing with critical infrastructures. The core presents industry standards, guidelines, and practices in a manner that allows for communication of cyber security activities and outcomes across the organization. It also represents the executive level to the implementation/operations level (NIST, 2018). When the five phases are considered together, the functions provide a high-level, strategic view of the lifecycle of an organization’s management of cyber security risk. This is partly due to the fact that it identifies underlying key categories and subcategories for each function and that these will be matched with informative references such as existing standards and guidelines (NIST, 2018)

During the first phase identification takes place. The goal of this phase is to develop an organizational understanding to manage cyber security risk to systems, people, assets, data, and capabilities (NIST, 2018). The activities during this phase are foundational for an effective use of the framework, since it forms the basis for the following phases. It is of great importance to understand the business context, the resources that support the critical functions, and the related cyber security risks that enables an organization to define priorities. These priorities will be in alignment with the risk management strategy and business needs (NIST, 2018). Examples of functions that will be focused on during the identification phase entail asset management, business environment, governance, risk assessment, and risk management strategy (NIST, 2018).

After the identification phase, there comes a protection phase. The goal of this phase is to develop and implement appropriate safeguards to ensure delivery of critical services (NIST, 2018). The protection is focused on the ability to limit or contain the impact of a potential cyber security threat. This means that on one hand technical factors of the system need to be ensured in terms of security, and on the other hand human factors that need to work with the system should be trained and learned how to deal with the system. The function is provided with categories as identity management and access control, awareness and training, data security, information protection processes and procedures, maintenance, and protective technology (NIST, 2018).

The protection phase is followed by the detection phase. During this phase the focus lies on developing and implementing appropriate activities to identify the occurrence of a cyber security event (NIST, 2018). Where the protection phase could be seen as a phase focused on prevention, the detection phase must be seen as a possibility to intervene when something goes wrong. The function is provided with

(20)

categories as anomalies and events, security continuous monitoring, and detection processes (NIST, 2018).

After the detection phase, a respond phase enters. The goal of this phase is to develop and implement appropriate activities to take actions regarding the earlier detected cyber security incident (NIST, 2018). The respond function supports the ability to contain the impact of a potential cyber security incident. Taking appropriate technical and organizational measures could minimize the consequences of the threat. After these measures are taken, it is of great importance to focus on the crisis communication. The respond function is provided with categories as response planning, communications, analysis, mitigation, and improvements (NIST, 2018).

After the respond phase, there is the last phase that entails recovery. The goal of this phase is to develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cyber security incident (NIST, 2018). After an incident has taken place the organization needs to recover as soon as possible, to continue their services in a more safe and secure manner. Timely recovery to normal operations can reduce the impact from the incident. The recovery function is supported with categories as recovery planning, improvements, and communications (NIST, 2018).

The NIST Cyber Security Framework must be interpreted as more than a set of basic components, since it is also critical how an organization implements the framework (Shackelford et al., 2015). The implementation varies significantly in different industries. Due to the rapidly evolving cyber threats the framework is equipped with critical infrastructure settings (Shackelford et al., 2015). These settings create flexibility and enable organizations to supplement an already existing cyber security management. The Information Systems Audit and Control Association (ISACA) represents over 100,000 cyber security, governance, and assurance professionals working within different domains. ISACA assisted in the development of the NIST Cyber Security Framework, and marketed the framework by the numerous industry associations they represent. Both governments and business leaders see opportunities in public-private partnerships to develop globally workable cyber security policies. As a consequence, more industries such as energy, IT, manufacturing, retailing and other sectors join ISACA and adopt the NIST Cyber Security Framework (Shackelford et al., 2015).

(21)

2.3.3 Conceptual framework

In the previous section the NIST Cyber Security Framework is explained. This section will combine the privacy concept with this framework to assess how these phases are relevant with the establishment of the Landelijk Schakelpunt from a privacy perspective.

The first phase focuses on identification, in which an organizational understanding will be developed to manage cyber risks. This understanding entails a focus on the system, people, assets, data, and capabilities. When it comes to the Landelijk Schakelpunt it is essential to create a stable basis and make sure everyone who is working with the system is aware of how to deal with it. From a privacy perspective, the only way the LSP could be seen as successful is when the security of personal data and medical records of patients is guaranteed. One category of identification is asset management, which focuses on physical devices and software platforms. In addition, communication and data flows will be mapped even as external information systems. Besides resources, a clear structure of cyber security roles and responsibilities is needed. To generate more insight into the domain of the LSP the business environment will be analysed, even as the governance that is applicable. These entail on one hand the legal and regulatory environments, but also dependencies of the critical service. Furthermore, the assessment and documentation of asset vulnerabilities, and internal and external threats may identify possible risks, from which can be learned and developed into a stable risk management strategy.

The second phase focuses on protection, in which appropriate safeguards are developed to ensure the delivery of the critical service. LSP is without doubt a critical service, since it entails sensitive information and operates within a complex environment. From a privacy perspective, implementing the protection phase into the business operations of the LSP is of great importance to guarantee a safe medical health record. This could be done by focusing on identity management and authentication such as the protection of physical access, but also by organizing permissions and network integrity. In addition to technical measures that are taken, human factors also should be trained to work with the system. This could be done by awareness trainings that inform users about their roles and responsibilities. Furthermore, data itself needs to be protected. Ways to do this are by implementing checking mechanisms, information protection procedures, and by periodic maintenance. When measures are taken, it is

(22)

also important to keep track of how they evolve, by logging records and communications and control networks.

The third phase focuses on detection, in which appropriate activities to identify the occurrence of a cyber security event is developed and implemented. Even after giving much attention to the identification and protection phase, it is possible that a cyber security incident may happen. In that case it is of great importance to detect the threat as soon as possible, so relevant measures could be taken directly. From a privacy perspective one hopes to never enter the detect phase, because it means a threat is already occurring. However, organizations need to be well prepared in case incidents do occur. To minimize the leakage of personal data and health records of the Landelijk Schakelpunt it is therefore important to react adequately. Focusing on the potential impact an incident entails could do this, by analysing attack targets and methods, and incident alerts. In addition, continuous monitoring is necessary, focusing on both system activity and personnel activity. Besides, also in this phase it remains important that roles and responsibilities are clear to the involved users.

These previous described phases – identify, protect, detect - are all occupied with the prevention of cyber security incidents at the Landelijk Schakelpunt. Phase four and five – respond and recover – are from a privacy perspective phases which an organization hopes will never occur because the risk of losing personal data and medical records is too critical. However, incidents can always happen so an organization must be prepared in order to face and resolve them. When the organization finds itself in the respond phase it needs to have a planning and procedure to coordinate communications, for both internal and external stakeholders. Besides, the situation needs to be analysed to create insight in risks and consequences. After generating a shared understanding of the situation and context improvements should be planned. These may exist of different technical and organizational measures. The planning of improvements evolves into implementation during the fifth phase: recovery. The previously described measures and improvements are during the recovery phase not only executed, but they also need to be communicated. Clear communication is needed so data subjects whose personal data may be lost know what is being done to protect their data against further distribution.

(23)

3. Methodology

The previous chapter described the body of knowledge, including the privacy concept and the NIST Cyber Security Framework. This chapter explains which methods will be used in this research, by addressing the research design, the method of data collection, and the method of analysis. In addition, the reliability and validity of this study will be also discussed.

3.1 Research design

The purpose of this research is to assess whether the implementation of the Landelijk Schakelpunt (LSP) is strengthened in terms of privacy in relation to the previously prepared and rejected Electronic Health Record (EPD). More specifically, this research focuses on the use of social security numbers in the digitized system of providing insight in patient’s medical data. The contradiction that applies here is the attractiveness to use a digital system with easy access to medical health records, but also the ongoing necessity to control and guarantee the security and privacy. To analyse this from a privacy perspective, the NIST cyber security framework will be applied within a holistic case study approach.

As described earlier, a digital system that contains confidential information such as personal data is a complex process that involves many risks. The LSP is only part of the total range of digital services to which personal data applies. Studying a specific component in detail helps to gain more insight into the entire situation. The approach of a case study is particularly suitable for this type of research because it is possible to focus on a single unit (Gerring, 2004). Moreover, a case study makes it possible to investigate a relatively small number of cases, to collect information about different characteristics, to perform analyses in a 'natural' environment and it is not necessarily a must to create a comparative analysis with other cases (Gomm, Hammersley & Foster, 2009).

The LSP can be considered as an innovative system with a focus on efficiency. The accessibility of medical records is increased because the data of a patient can be viewed in one system. When a patient is involved in a serious accident and is transported to the nearest hospital, doctors can respond immediately when consent is given for the viewing of personal data via the LSP system. As a result, the medical specialists quickly gain insight into the condition of a patient, which theoretically increases the chance of effective treatment. However, at first glance the focus on

(24)

efficiency does not automatically appear to promote a system’s security. The purpose of this case study is to gain a deeper understanding of the functioning of the Landelijk Schakelpunt and how risks are minimized so a secure application can be offered and privacy can be guaranteed.

3.2 Data collection

In order to collect data, qualitative semi-structured interviews are used as the main source in this study, supplemented by a document study. This research is aimed at analysing the privacy element of the digitized LSP, examining both the substantive aspects and perceptions of patients and stakeholders, so interviewing is the most suitable method to formulate an answer. This approach enables the researcher to gain detailed insight into the analysed object, because subjective ideas, perspectives and feelings can be investigated. Moreover, semi-structured interviews ensure flexibility. This means that "spontaneous" follow-up questions are possible when it seems that a certain topic is important to the respondent during the interview. Also topics that were not identified before the start of the interviews can be given attention with semi-structured interviews. This method of data collection makes it possible for a researcher to delve deeper into the topic and to keep asking questions until it is fully clear what the perspective of the respondent includes, and to be able to place this in the right context (Bryman, 2015). The semi-structured interview is therefore a tool for obtaining in-depth data on perceptions and opinions, which is in line with the purpose of this study.

Illuminating different perspectives, the theoretically established system can be compared with the image of patients and employees who work with the system in practice. The various actors that can be identified as involved include the policy makers who set up the system, and the policy executives such as general practitioners, pharmacists and other medical specialists. In addition, there are patients whose medical data can be viewed. Finally, specialists with substantive knowledge about the safety and risks of such systems can be identified. This includes the chance that unauthorized persons have access to the data and to what extent privacy is guaranteed. The aim is to explain the different sides and experiences of those involved with the Landelijk Schakelpunt.

(25)

People from different stakeholder groups have agreed to serve as a respondent for this research. Amongst them are patients, whose personal data have been recorded and are accessible by the LSP. Besides, privacy specialists are identified whom are found to be relevant because they are able to explain how privacy is defined in legislation and what are the patient’s rights according to the GDPR. Furthermore, also different IT auditors have agreed on doing an interview for this research. Their focus on the IT infrastructure and content of digitized systems is expected to be relevant in order to generate a detailed understanding of the Landelijk Schakelpunt system. IT auditors are familiar with frameworks like the NIST Cyber Security Framework. Besides privacy specialists and IT auditors, medical specialists are also identified as stakeholders. Examples of these specialists are general practitioners, nurses and pharmacists. Several general practitioners and nurses have already agreed to serve as a respondent for this research. The perspectives of medical specialists are relevant and of great importance since they are the ones that actually work with the system and can indicate the role and functioning of the LSP within their daily working activities.

To provide a complete picture of the situation in scope, a document analysis will be conducted in addition to the interviews. Introducing the electronic portal in which medical data can be viewed by social security number as identification method has taken a lot of time, and more and more risks become visible. The document analysis will focus on both policies of establishing the Electronic Health Record (EPD) and Landelijk Schakelpunt (LSP), since this research analyses to what extent the design of the LSP is improved in terms of privacy compared to the EPD. The prepared policy documents of both EPD and LSP are publicly available, as are the documents of the House of Representatives. These documents from the Dutch Senate indicate the original initiatives, thoughts on electronic health systems, and why there has been a withdrawal from the EPD from a privacy and security perspective. Overall, the documents will mainly represent the theoretical perspective, which will be supplemented by a practical perspective that will be apparent mainly from the interviews.

3.3 Data analysis

Section 2.3.3 addressed the conceptual framework that is applicable in this research. It showed that the three phases – identify, protect and detect – are all occupied with the prevention of cyber security incidents at the Landelijk Schakelpunt. The fourth and fifth phase – respond and recover – are from a privacy perspective phases that

(26)

organizations hope to never enter, because the risk on losing personal data and medical records is too critical. However, organizations need to be prepared for each phase in case an incident occurs. The following sections describe the different phases and the corresponding categories and subcategories, which indicate focus points for fulfilling the concerned phase originating from the NIST Cyber Security Framework (NIST, 2018).For full criteria lists see Appendix 1.

3.3.1 Identify

The Identify (ID) phase exists of five different categories: Asset Management, Business Environment, Governance, Risk Assessment, and Risk Management Strategy. Focusing on Asset Management (AM) the data, personnel, devices, systems and facilities that enable an organization to fulfil its goals are analysed. In addition to resources as physical devices and software platforms, external information systems, communications and cyber security roles and responsibilities are mapped and established. Zooming in on the Business Environment (BE), the organization’s mission, objectives, stakeholders, and activities are studied. This means assessing the organization’s role in the supply chain, but also its place in the (critical) industry. Furthermore, an understanding of priorities is formed as well as dependencies and resilience requirements. Assessing the Governance (GV) entails policies, procedures, and processes to monitor regulatory, legal, risk, environmental, and operational requirements. Furthermore Risk Assessment (RA) focuses on whether the organization understands the cyber security risk to organizational operations, assets, and individuals. This is done by identifying asset vulnerabilities, cyber threat intelligence and other internal and external threats. After the identification of threats and their potential impacts, the organization’s priorities, constraints, risk tolerances and assumptions are established in an organization’s Risk Management Strategy (RM). Not only should the processes be established and managed, but also organizational stakeholders should agree with them. The categories of the Identify (ID) phase can be schematically represented as follows:

Function Identifier Category

Identify (ID) ID.AM Asset Management ID.BE Business Environment ID.GV Governance

ID.RA Risk Assessment

(27)

3.3.2 Protect

The Protect (PR) phase exists of six different categories: Identity Management, Authentication and Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, Maintenance, and Protective Technology. Identity Management, Authentication and Access Control (AC) focuses on the access to physical and logical assets by users. This can be done by managing verified identities and credentials, remote access, permissions and authorizations. In addition, the network integrity needs to be protected. Awareness and Training (AT) involves the education of an organization’s personnel and partners. All users should be informed so they understand their roles and responsibilities. Data Security (DS) entails the management of information and records, which need to be consistent with the organization’s risk strategy. Data in every stage such as in transition, removal, transfers, and disposition need to be secured. This also involves protection against data leakage and integrity checks. The Information Protection Processes and Procedures (IP) addresses security policies to maintain and manage the protection of information systems and assets. Subcategories that complement this category are baseline configuration, system development life cycle, backup policies and deletion procedures. Also, response plans and recovery plans need to be in place and managed. Maintenance (MA) focuses on industrial control and performed information system components, which need to be consistent with policies and procedures. It is important that internal and remote maintenance are logged and controlled. Lastly, Protective Technology (PT) involves technical security solutions to ensure security and resilience of systems and assets. Subcategories are the documentation, implementation and review of audit and log records, the protection of communications and control networks and implemented mechanisms to achieve the resilience requirements. The categories of the Protect (PR) phase can be schematically represented as follows:

Function Identifier Category

Protect (PR) PR.AC Identity Management and Access Control PR.AT Awareness and Training

PR.DS Data Security

PR.IP Information Protection Processes and Procedures PR.MA Maintenance

(28)

3.3.3 Detect

The Detect (DE) phase exists of three different categories: Anomalies and Events, Security Continuous Monitoring, and Detection Processes. Anomalies and Events (AE) focuses on the detection of anomalous activity and creates understanding of the potential impact of events. A baseline of network operations and expected data flows for users and systems is established and managed, detected events are analysed to understand attack targets, and event data are collected. In addition, the impact is determined and an incident alert is established. Security Continuous Monitoring (CM) zooms in on monitoring information systems and assets to identify possible cyber security threats and to verify the effectiveness of protective measures. This means that the network, physical environment, and personnel activity are monitored. In addition, when malicious codes, unauthorized codes or external service provider activities are found, they also need to be labelled as detected, so further actions can be taken. During Detection Processes (DP) the focus is laid on maintaining and testing detection procedures and ensuring awareness of anomalous events. Roles and responsibilities for detection need to be well defined, compliance with applicable requirements needs to be assured and event detection information needs to be communicated. Furthermore, continuous improvement is a high priority. The categories of the Detect (DE) phase can be schematically represented as follows:

Function Identifier Category

Detect (DE) DE.AE Anomalies and Events

DE.CM Security Continuous Monitoring DE.DP Detection Processes

3.3.4 Respond

The Respond (RS) phase is a phase that an organization hopes will never enter from a privacy perspective. However, organizations must be prepared for incidents that may occur. The Respond phase exists of five categories: Response Planning, Communications, Analysis, Mitigation, and Improvements. Response Planning (RP) entails the procedures that are executed and maintained to ensure a quick response to detected cyber security incidents. Communications (CO) zooms in on coordination with internal and external stakeholders. This means that personnel are aware of their roles and the order of operations, incidents are reported, and information is shared. During Analysis (AN) effective response and recovery activities are discussed. In an ideal situation notifications from detection systems are investigated, the impact of incidents

(29)

are understood, forensics are performed, and incidents are categorized in consistency with response plans. When it comes to Mitigation (MI) an organization needs to perform activities to prevent expansion of an incident, mitigate its effects and resolve the incident. Also newly identified vulnerabilities need to be mitigated or documented as accepted risks. Finally, Improvements (IM) entails the improved organizational response activities by incorporating lessons from current and previous detection activities. Response strategies need to be regularly updated. The categories of the Response (RS) phase can be schematically represented as follows:

Function Identifier Category

Respond (RS) RS.RP Response Planning RS.CO Communications RS.AN Analysis

RS.MI Mitigation RS.IM Improvements

3.3.5 Recover

The Recover (RC) phase is also a phase that an organization hopes will never enter from a privacy perspective. However, organizations must be prepared for incidents that may occur. The Recover phase exists of three categories: Recovery Planning, Improvements, and Communications. Recovery Planning (RP) involves the execution of recovery processes and procedures. These also need to be maintained to ensure restoration of systems or assets that are affected by cyber security incidents. Improvements (IM) during the recover phase differ from improvements during the response phase. Response improvements entail organizational response activities, and recovery improvements incorporate lessons learned in recovery plans and strategies. Communications (CO) entails the coordination of restoration activities with internal and external parties. These involve the management of both public relations and reputation. The categories of the Recovery (RC) phase can be schematically represented as follows:

Function Identifier Category

Recover (RC) RC.RP Recovery Planning RC.IM Improvements RC.CO Communications

(30)

3.4 Reliability

Joppe (2000) defines reliability as the extent to which results are consistent over time and an accurate representation of the total population under study and if the results can be reproduced under a similar methodology, then the research instrument is considered to be reliable (Golafshani, 2003). The policies of the EPD and the LSP are documented and publicly available. Besides, the reports of all discussions of the Dutch Senate are published on their website. These documents do not change over time, it is only possible that new documents will be published, that supplement older documents. Using the methodology of this research, it may occur that subjective answers during interviews differ. However, if the GDPR does not change substantially it is not expected that privacy specialists interpret the law differently. Also IT auditors will be interviewed because of their knowledge of frameworks as the NIST Cyber Security Framework. It is not expected that this framework will change. Using the same method as this research should therefore lead to reliable outcomes.

Joppe (2000) defines validity as the instrument that determines whether the research truly measures what was intended to measure or how truthful the research results are (Golafshani, 2003). The research question focuses on to what extent the design of the Landelijk Schakelpunt (LSP) is improved in terms of privacy compared to the Electronic Health Record (EPD). This research will be executed by applying the NIST Cyber Security Framework. By creating insight from patients themselves, privacy specialists, the ones that work with the system as medical specialists, and people that focus on these kinds of frameworks this research is expected to be valid.

(31)

4. Analysis

The previous chapters described the body of knowledge and methods that guide this research. In section 2.3.3 the privacy concept was combined with the NIST Cyber Security framework. The five different phases, (1) Identify, (2) Protect, (3) Detect, (4) Respond, and (5) Recover will now be analysed by the conducted interviews and studied documents.

4.1 Identify

The identification phase focuses on developing a shared organizational understanding to manage cyber threats, by managing the system, people, assets, data, and capabilities. From a privacy perspective, the only way the Landelijk Schakelpunt could be seen as successful is when the security of personal data and medical records of patients is guaranteed. To assess whether this criterion is fulfilled, five categories are identified: asset management, business environment, governance, risk assessment and the risk management strategy.

One priority is asset management. Access to physical devices and systems is necessary in all healthcare institutions. VZVZ has set a three-step procedure with criteria that need to be fulfilled in order to receive a connection to the LSP (VZVZ, 2019a). One of these steps addresses how to deal with electronic identities. Theoretically, employees receive a card and in combination with the corresponding PIN code they are authenticated. All interviewed medical specialists confirmed this procedure. Besides, authorization is also important which entails the specific rights of use (VZVZ, 2019a). Dependent of one’s specific role, the account has limited access functions. The modules to which no access has been granted cannot be viewed either. In addition to the arrangement of roles VZVZ has set different checks and balances such as a division in cybersecurity tasks and responsibilities.

Besides asset management, focus is laid on the business environment. The Ministry of Health, Welfare and Sport (VWS) set the following objective for the EPD: 'to make (parts of) the patient record integrated and electronically accessible, irrespective of place and time, with a view to patient-oriented care’. The national implementation started in September 2008, and in order to ensure a smooth realization a number of conditions have been drawn up, including lessons from practical experiences, audits, and the BSN Healthcare Use Act (Wbsn-z). In 2012, the Dutch School for Public Administration published a study concerning an evaluation of crucial

(32)

moments in the EPD decision-making process and improvements for IT processes in the healthcare sector (NSOB, 2012). The publication argues the ministry was mainly focused on the realization of the EPD, and conceived it as a planned process to be settled. In retrospect, it seems an emergent strategy would have been more applicable, whereby strategy adjustments can be made during the process, which therefore responds more to current events. VZVZ indicates that during the period 2012 - 2015 focus was set on the commissioning of the national healthcare infrastructure and arranging the associated governance of the LSP (VZVZ, 2015). Period 2016 - 2020 concentrates on intensifying the use of the infrastructure and the development of new functionalities, facilities and new users (VZVZ, 2015). To define and clarify the role of the national healthcare infrastructure in data exchange, an extensive SWOT analysis has been executed, describing opportunities, threats, strengths, vulnerabilities, success factors, barriers and risks. The result is: "a barrier-free use of the infrastructure throughout the entire chain is the guideline for everything we do" (VZVZ, 2015). It is recognized that at the same time there are components of the LSP that still need to be solved, the need for data and functionalities continues to increase, and the LSP chain can contribute more to medication monitoring and verification. In addition, the patients are a central point of focus, the pilot regions form examples to follow, and a trust model is active in coordinating the chain (VZVZ, 2015). To continue to meet expectations, focus on research, development and innovation is important. VZVZ decided to continue the path taken in order to achieve optimum use through a robust management organization with regard to technology, architecture and user support. The second focus is on innovation and further improvements. It is defined that these two aspects should not impede each other in priority and staffing, but must be implemented synergistically. Different stakeholders can be identified, such as the patients whom share their data, medical specialists that need to work with the data, the AP and IGJ that control if legal requirements are met.

Focusing on governance, VZVZ states that reports show the availability of healthcare information is good. At the same time, it sometimes seems unclear to stakeholders such as care providers, managers and representatives how to deal with incidents and disruptions (VZVZ, 2019e). The procedure is separated in a description for end users, a description for representatives of end users and a detailed description for administrators. Furthermore, administrators report malfunctions to the service desk of the party where the cause of the malfunction lies. It is only allowed to contact

Referenties

Download het nu ( PDF - 74 pagina - 1.22 MB )

GERELATEERDE DOCUMENTEN

Een onderzoek naar revolverende fondsen in Nederland: hoe effectief is de rechtsbescherming tegen financieringsbeslissingen van private fondsen gevuld met publiek geld?

Gelet op het voorgaande, luidt mijn probleemstelling in deze scriptie: Op welke wijze staat rechtsbescherming open tegen financieringsbeslissingen van revolverende fondsen die

Wagemann, Sheila, Educatief Ontwerpen, Duits

Bij het ontwerpen van het hier voorgestelde prototype (lessenreeks) stond de volgende ontwerphypothese centraal: “Als leerlingen bij mijn lessenreeks over

Modeling and analysis of non-isothermal chemical reaction networks: A port-Hamiltonian and contact geometry approach

Other than for strictly personal use, it is not permitted to download or to forward/distribute the text or part of it without the consent of the author(s) and/or copyright

Think tanks and Foreign Policy - A qualitative analysis of the United States and the European Union divergent trade policies vis-à-vis China

- A qualitative analysis of the United States and the European Union divergent trade policies vis-à-vis China –.. Marine Leleux S2582023

IJsbrand van Diemerbroeck: verhandeling over de pest: ingeleid, vertaald en van aantekeningen voorzien

Tegen deze achtergrond worden in het navolgende enige gegevens gepresenteerd die de lezer op weg kunnen helpen bij het vormen van een beeld van Van Diemerbroeck en

Ticagrelor for Secondary Prevention of Atherothrombotic Events After Myocardial Infarction: An Evidence Review Group Perspective of a NICE Single Technology Appraisal

Abstract The National Institute for Health and Care Excellence (NICE) invited AstraZeneca, the manufacturer of ticagrelor (Brilique  ), to submit evidence on the clinical and

A contact model for sticking of adhesive meso-particles

In particular, we study the dependence of the coefficient of restitution for two meso- particles on impact velocity and contact/material parameters, for a wide range of im-

University of Groningen Assessment of Dyslexia in the Urdu Language Haidry, Sana

The high discriminatory ability of our test, between typical and struggling readers as well as within struggling readers, was indicative of DRM’s relevance (Chapter 2).